Penetration Tests and Cybersecurity Assessments: What Lawyers Need to Know

Episode Notes

Transcript

Digital Detectives

Penetration Tests and Cybersecurity Assessments What Lawyers Need to Know(1)

08/22/2020

 

[Music]

 

Intro: Welcome to Digital Detectives. Reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

 

[Music]

 

Sharon D. Nelson: Welcome to the 118th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises, a digital forensics, cyber security and information technology firm in Fairfax, Virginia.

 

John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today, on Digital Detectives, our topic is Penetration Tests and Cybersecurity Assessments What Lawyers Need to Know.

 

Sharon D. Nelson: Before we get started. I’d like to thank our sponsor. Thanks to our sponsor, Logical, Instant Discovery Software for modern legal teams. Logical offers perfectly predictable pricing at just $250.00 per matter per month. Create your free account at any time at logikcull.com/ltn.

 

John W. Simek: Today, our guest is Sensei’s very own Mike Maschke. Mike is the chief executive officer, director of cybersecurity and digital forensics at Sensei Enterprises Inc. and holds a degree in telecommunications from James Madison University. He also has a bunch of technical certifications as well and initials after his name. Mike, I’m not sure if it’s me or you that has more, but he’s testified as a cybersecurity expert and routinely performs security and vulnerability assessments for clients as well as data breach investigations throughout the country. It’s great to

have you on the podcast today, Mike.

 

Mike Maschke: Thank you both for having me.

 

Sharon D. Nelson: Well, we’re going to give you a softball question first. We only do one sort of promotional question so this is it. So, if you could just briefly describe the cybersecurity services that Sensei provides and the kind of clients that Sensei represents?

 

Mike Maschke: Of course. Of course. So, in Sensei, we are a managed cybersecurity provider and some of the services that we provide include vulnerability assessments, security assessments, data breach investigations, securing your computer systems and mobile devices as well as security awareness training. The types of industries that we aim to be our clients that we service include primarily illegal, but we also do work for a lot of other verticals, healthcare, education and other technology and financial sectors.

 

John W. Simek: So, Mike, I know it’s probably a big misconception for our listeners, but tell them what the difference is between the vulnerability assessment and penetration tests because they are different.

 

Mike Maschke: Absolutely. The penetration tests really will take the results of the vulnerability assessment one step further from the point of view of a hacker. For the vulnerability of tests, what we do and what that encompasses really is looking at your systems, your software, your devices, your servers, your cloud-based accounts and vendors and running software viewing configurations and trying to figure out what vulnerabilities there are, what holes there are in the software, in the configurations, in the settings. Identifying those and sort of ranking them based on how critical they are, how soon they need to be fixed and addressed and patched and providing that information to the client to take action. A penetration test really is

a vendor acting like a hacker or an attacker and trying to get into your network, get

into the client’s network from the outside typically and acting like an attacker once they are in to document what systems are able to break into, what user accounts they’re able to get access to, what systems are able to take down or what data they’re able to exfiltrate. And so, it’s really the goal of that is — the penetration testers will first identify the vulnerabilities they can exploit then they’ll actually take that step of exploiting them and documenting how they — what process they take

when they go through this and what systems are able to get into and what damage they are able to employ on the client.

 

John W. Simek: So, isn’t that fair to say Mike that the penetration test actually confirms that that you’re kind of screwed?

 

Mike Maschke: Yes. I mean, in the end if it’s — and we’ll get into this later. If it’s a penetration test where you know nothing about the client other than — you have permission to attack them and try to get into their networks and you do all the reconnaissance and you get into their systems and at the end of the engagement you say, “Here, I have your customer list or here I was able to get access to HIPAA data” yes, you can certainly say, “Hey, we got in and if you don’t fix or address this vulnerability that I exploited, here’s how you’re screwed, here’s the data, the sensitive information I was able to access.” And you can actually show them a copy of it.

 

(00:05:05)

 

So, it’s really interesting and trying to show in a real-world sense to somebody who thinks they may be invincible or you can’t get into our systems, why would we need that to actually work with them with permission to sort of really test their systems and try to exploit their devices to say, “Well, here’s how I got in and here’s what I had access to.

 

Sharon D. Nelson: And there’s a a fairly large difference I think in cost between assessments and penetration testing. So, we’ll get into that in a little bit, but for the moment, let’s start out because I think that there’s a lot of confusion about the different types of penetration tests. So, what are the differences between the

different kinds of tests?

 

Mike Maschke: Well, right off the bat, typically you’re going to have two different types. You’re going to have what’s called a white box test and a black box test and then sometimes you’re going to have hybrids of the two. So, with the white box penetration test, your vendor is actually working with the client sort of hand in hand.

Your penetration tester is going to get information about the client, you’re going to get the domain names or IP addresses, a list of user accounts, network diagrams and in a lot of cases, you’re going to have an administrator or privileged account already created or set up for you. So, essentially, you’re going in as the attacker or the hacker into the network with pre-populated information. So, you know sort of what processes and steps you’re going to carry out to get into the network and sort of once you’re in, how to move laterally within their network with the credentials that you’ve been given. You know what types of software you’re going to run beforehand because you know what systems you’re going to fond once you get inside their network. The black box penetration test is really where a vendor is engaged and it can be as simple as with permission, here’s the name of our company, tell me what you can fond.

 

And so, without knowing much of anything, without being provided a lot of information up front, the vendor then will attempt to perform external reconnaissance and sort of build their processes and game plan and an attempt to get access to the internal systems of the client and with that type of attack or that

type of a test, you have no idea the types of systems, the types of software, the types of security that is already in place by the client. So, you have to be prepared to run all of your tools in order to get in and attempt to exploit the systems. So, it’s a lot harder because you don’t know what you’re dealing with, you don’t have time to do research or anything like that and it’s not really set up for you to sort of step-by-step process on how to get into the network, you have to figure it out yourself.

 

John W. Simek: So, Mike, do you have any recommendations for how often firms

should test and review the security of their information systems?

 

Mike Maschke: Well, as far as the vulnerability assessments go, they don’t take as long to run for a large part of it, it’s an automated process with certainly some manual review and manual review of firewall configurations and network device

Configurations, but, you know, typically the firms should be doing that at least twice a year. I mean, the vulnerabilities that are out there change so much and change so rapidly that if a firm was to wait, to do it every year or every other year, honestly by the time that the vulnerability assessment is done, the reports given and the client

then sort of patches and fixes those vulnerabilities, in reality you could run it

again because who knows what new vulnerabilities have been found. I definitely recommend at least twice per year.

 

Sharon D. Nelson: And building into their budgets, too, right Mike?

 

Mike Maschke: Of course. And if they can plan accordingly, they can budget for the upcoming year to make the funds available for that type of assessment.

 

Sharon D. Nelson: Well, let me ask you another question that I think people ask a lot and that’s how long does the typical assessment and then a penetration test take from start to finish including when they might expect to receive the report?

 

Mike Maschke: So, the vulnerability assessment from start to finish, you’re probably talking one to two weeks if that probably closer to one week for the actual running of the software, they’re evaluating the results getting the report findings out to you and it’s critical to get the client, the report as soon as possible from when those assessment is performed because again, the longer you wait to deliver the report, the more stale the information contained in it becomes because the vulnerabilities change so frequently. The penetration test itself, that’s a more involved process and I really depend on whether it’s a white or a black box and what

information you’re given beforehand, but those can take easily several weeks depending on how large your network is and what the ultimate goal is. I mean, or what the terms of engagement are but definitely they could be several weeks and then the report, the write-up, the finance report at the end is a lot more than just with the vulnerability assessment because in the penetration testing report, in that deliverable often it’s included the software that’s ran, the commands that are included, the tester will often grab screenshots and document, there’s a lot more documentation once they get into the systems on how they got in and it will also include the vulnerabilities they exploited, what needs to be fixed sort of to address some of these holes that were found.

 

(00:10:27)

 

Sharon D. Nelson: As I think we have learned, it’s not unusual to see a report that goes on for 700 pages or more although a big chunk of it is the software reporting

less of it is the actual cybersecurity expert reporting back, right?

 

Mike Maschke: That is correct. I mean, the attachments alone to the main report can easily surpass hundreds of pages.

 

John W. Simek: Well, before we move on to our next segment. Let’s take a

quick commercial break.

 

[Music]

 

John W. Simek: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? Pinow.com is a one of a kind resource for locating investigators anywhere in the U.S and worldwide. The professionals listed on PINow understand the legal constraints of an investigation are up to date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.pinow.com.

 

[Music]

 

Trying to cut costs? You’re not alone. In today’s climate, a five-figure e-discovery bill per month is steep. Don’t pay that. Use logical to reduce expense and control your discovery process. Get started today for only $250.00 per matter and they’ll waive migration costs from competing platforms. For more information, visit logikcull.com/ltn.

 

[Music]

 

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Penetration Tests and Cybersecurity Assessments What Lawyers Need to Know. Today, our guest is Mike Maschke, the chief executive officer and director of cybersecurity and digital forensics at Sensei Enterprises.

 

John W. Simek: Well, Mike, I think the big question that’s on everybody’s mind that’s listening to this is what does a general vulnerability assessment and a penetration test cost?

 

Mike Maschke: Well, your vulnerability assessment a lot of that work is automated. So, it’s the running of specialized security software to identify and pinpoint vulnerabilities in the systems. Don’t get me wrong, there is some manual time and sort of setting up the software, going through the results and drafting report. So, for a small company, a small firm, we’re talking between 10-20 employees or a little bit more. You’re probably in the 5,000-10,000 range maybe on the lower end of employees. Now, if you get into penetration testing though the cost of those engagements because they do take much more time, they’re primarily all manual and going through results and trying to figure out how to exploit the device to get inside of network or system and that engagement will take place over several weeks. It could be easily talking in the tens of thousands of dollars for that type of engagement.

 

Sharon D. Nelson: That’s a big question for a lot of folks and for some of the smaller firms that lawyers from firms that may be listening, sometimes what they will do is they will forego penetration testing whether they should or not is a different question, but they do choose to forego it and they’ll do the vulnerability assessment and they’re more likely at the smaller firm level to do it once a year, wouldn’t you

say, Mike?

 

Mike Maschke: Absolutely. And it should be noted that much of the testing that can be done, can be done remotely. You don’t necessarily always have to default to pay somebody to come on site to run scans, to run tests, to interact with systems.

 

Sharon D. Nelson: That’s a very smart thing I think for a law firm to know is that you can choose whoever you want in many cases because they don’t have to be

in your geographic region.

 

Mike Maschke: That is correct. There’s always ways that vendors can get access

to your internal systems to run the necessary scans with some assistance from your outsourced IT staff or somebody there at the on-site. So, it can be done remotely.

 

Sharon D. Nelson: So, what information does a client have to gather together to prepare for the assessment or test because obviously you need to request some staff

before you actually start on an engagement?

 

Mike Maschke: Yes. So, of course, when we’re dealing with the vulnerability assessment, we’ll want to know from the client, we’ll want to see a network diagram,

number of users, number of employees, types of systems, types of computers, typically are they running encryption, do they give their employees mobile devices and in some cases, we want to see policies and procedures to review to get an idea of how the firm or the company treats security.

 

(00:15:25)

 

So, we have to get an idea of what it is we’re going to scan including the internet protocol address or block of addresses used by that client. So, we can do both an external scan of their IP address range as well as an internal scan of their information systems. Penetration test, it really depends on the type of engagement whether it’s a white box or a black box test or some sort of hybrid, but the more information in terms of a white box, you’re going to want to know everything for the vulnerability test, but you’re also going to be probably speaking with an IT admin or a technical person there at the firm to get more detail in regard to the configuration of their network devices, the software they used, the critical services that run on their network whether they’re running SQL server or hosting their own websites, et cetera. I mean, you’ll have a very in-depth knowledge of their network and require a lot of communication before the engagement begins to learn that information before you start.

 

John W. Simek: Well, I don’t think it’s any secret, Mike we’ve been in this work from home environment for five months roughly, but are you seeing firms taking cybersecurity more seriously now that we’re in this work from home environment?

 

Mike Maschke: I think it’s gotten better. I do think that cybersecurity has become at least something that firms are aware of now and can’t plead ignorance. I still would like to see more done from law firms as far as their employees go in terms of making sure they’re on company provided systems and not using home personal systems that might be shared with the family and making sure that their users have secure networks at home or using a VPN or some type of remote desktop to connect to their work to conduct their business, but I do overall see that they’re starting to take it more seriously just some of the steps that I’m seeing firms take to protect their client’s data, their confidential information of their matters. I do think they’re

definitely taking more steps, but is it where should be or needs to be? I wouldn’t say we’re quite there just yet.

 

John W. Simek: That’s a different question.

 

Mike Maschke: Yes, it is.

 

Sharon D. Nelson: It’s interesting because I agree with you that they are paying more attention. We’ve started to see an uptick in people asking for webinars on working remotely and securely and so they are now beginning to want their employees to have that information and I remember writing a blog post just a couple of days ago about the fact that some of the biggest brands we know whether it’s a Microsoft or Amazon, I mean, those very brands the ones that we know and trust are the ones that are being impersonated so often and so you’ll get an email or you’ll see something on Facebook because I haven’t taken it down yet and haven’t caught it, you’ll end up clicking on it and things like that are just so common that they really

need the training, but not everybody is doing that level of training and making sure they see what’s happening today and the kinds of attacks I would say have definitely changed. So, are there steps besides cybersecurity training for employees which I think is critical, but are there other things that you would recommend, Mike?

 

Mike Maschke: Absolutely. Well, to build on that foundation of cybersecurity training, firms really need to not only make sure there is antivirus and endpoint protection software on any device or endpoint connecting to their network, but more importantly, they need to make sure that if multi-factor or two-factor authentication is available whether it’s through a VPN service or remote desktop or Citrix solution or even on your Office 365 accounts or maybe if Google hosts your business accounts,

you need to enable it, you need to take advantage of that extra security protection that offers and we’re still seeing firms that haven’t taken that extra step to enable those necessary precautions. That’s in addition to making sure your business mobile devices like phones or tablets that may have confidential information or your client data are encrypted are set to wipe themselves sort of self-destruct after a number of invalid guesses to get into those devices in case they were lost, the ability to wipe them remotely. There are just some basic common-sense steps that firms can take

and a lot of the time it’s often at no extra cost the features are there, they just got to know they’re there and turn them on.

 

(00:20:02)

 

John W. Simek: So, lastly Mike. What kind of advice do you have for firms looking to increase their cybersecurity posture, they’re not huge, they’re not mega firms and they don’t have an endless budget especially since the economy is kind of fragile and we’re in these really uncertain times?

 

Mike Maschke: Well, there are certainly steps that firms can take that they’ll get a big bang in terms of the increase of their security posture for a very little cost. And again, I mentioned two-factor authentication on their email accounts like Office 365 accounts or for that matter any Cloud-based accounts and again, a lot of times they’re not paying extra for it, it’s just a matter of turning it on, enabling and training their users on how to use that authentication mechanism, secure access to the office network. I mean, whether you have a Windows laptop or an Apple system there are ways you can encrypt the hard drive whether it’s through FileVault 2 or a BitLocker to ensure that if you were to lose your, system these mobile systems that the information remains encrypted that can often be done at no additional cost, you can limit or educate your remote users that when they’re at home make sure they have the appropriate passwords on their systems that are — they have to change them every so often that their passwords — when they log into their computers or meet a certain complexity, meet their complexity requirements so a strong enforceable password policy is something that can easily be done again at no additional cost and really when you start to get down to what can they do for costs, small businesses firms you can always look to upgrade the quality of your router, do you have a business grade rattle that’s giving you intrusion detection capabilities or

intrusion prevention capabilities like the Cisco Meraki, it’s not a very expensive device, several hundred dollars for the device and then you pay subscription on top of that, but for the cost and the benefit, the protection it provides your systems is huge and it’s not a big expense even with endpoint protection software for your employee’s computers and mobile devices. Again, that’s a small monthly cost that gives you that peace of mind that when they’re using the devices from home that you at least have some sort of security software on them that is protecting them.

 

Sharon D. Nelson: Well, all of this has been tremendously helpful and I know people are thinking about it. I specifically wanted Mike to be on the show today just because he is so good at translating something that is very complex into something that lawyers can comprehend and I think there’s a lot of useful information about what they can do that’s free and not free and what they might like to at least think about and ask questions of folks. So, I would heap more praise upon you Mike, but as Mr. Spock once said in a Star Trek movie, “It would sound curiously self-serving.” So, I will not do that. Needless to say, he is the best CEO and a president and vice president could ever hope to have. So, thanks for taking the time out of your day, Mike.

 

Mike Maschke: I appreciate the offer guys and thank you for having me.

 

John W. Simek: That does it for this edition of Digital Detectives and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts and if you enjoyed our podcast, please rate us on Apple Podcast.

 

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.

 

John W. Simek: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

 

[Music]

Continue Reading